Setting a global standard for cybersecurity in the IoT
The value of data in an information-driven society makes any connected device a prime target for cyber attacks. Back when devices operated offline or were only accessible physically, over short-range network links, the threat was limited; only devices that were physically accessible were at risk.
By Alex Leadbeater, Chair of ETSI Technical Committee CYBER.
This limited susceptibility nurtured a complacent design culture in terms of security requirements. Now, too many of the devices being added to the IoT continue to be based on hardware and software practices that belong to a previous generation.
Because of the lack of potential threat, there has never been a need for a global security standard. But for all its amazing benefits, the internet does not respect boundaries, if there is a way of accessing a device online, someone will find it. Today, there is a very real need for such a standard, but the electronics industry is a convoluted, competitive arena. While there are examples of collaboration for mutual gain, it needs a completely independent body to bring a global security standard to bear.
Understanding the security paradigm
Many of the product types affected today didn't exist a generation ago; the internet has totally remodelled the technology landscape. There is now a huge amount of product diversity with one common feature; connectivity. It ranges from children's toys, baby monitors, smoke detectors, smart door locks, smart cameras, TVs and speakers, wearable health trackers, connected appliances such as washing machines and fridges, and smart home assistants.
The security in these embedded systems has failed to keep pace with the threat. Manufacturers commonly employ practices such as shipping products with easily guessable administrator passwords. This is just one mistake that cyber criminals exploit in order to mount attacks. Now that these connected devices are also easily discoverable over the internet, cyber attacks are almost inevitable. Though it might sound simple, this is a complex problem to fix globally and consistently, so IoT product designers and manufacturers need expert guidance to help solve it.
To address this, ETSI's mix of experts and consumer stakeholders fused their ideas and knowledge to create the European standard, EN 303 645, which for the first time establishes a baseline level of security for connected devices. This baseline provides clear guidance on ensuring security without impacting the competitive nature of product design.
Another ETSI initiative, the upcoming TS 103 701, will specify test scenarios for assessing products against the provisions of EN 303 645. The assessment is designed to be used by testing labs and certifying bodies, as well as manufacturers that wish to self-assess. It will also be used to provide input to the common cyber security certification framework that was proposed in the EU’s Cyber security Act. The outcome may be mandatory use of penetration and vulnerability testing in all IoT products sold in Europe.
The standard took its initial input from a project which began in 2018. A team in the ETSI Technical Committee CYBER started working on the topic and released the technical specification TS 103 645 in February 2019. It was the first standard to address poor security practices in consumer IoT device development. The work behind it forms the basis for the ongoing efforts to improve the security and resilience of the consumer IoT.
Building on a solid foundation
The EN 303 645 standard and its foundation, the TS 103 645 specification, along with other forthcoming support documents are intended to provide a framework for demonstrating effective security in IoT products and services. The standard’s approach is outcome-focused rather than relying on prescriptive measures. By choosing an outcome-based approach for the recommendations in the standard, organisations have the flexibility to innovate and implement security solutions appropriate for their products.
The means that, rather than demanding the use of a particular authentication scheme, it highlights the benefits of contemporary measures and best practices, such as individualised passwords or two-factor authentication. The working group behind the standard recognises that security is a moving target and that prescriptive approaches cannot meet the challenges of an environment where hackers and criminals are continually tuning their techniques for greater impact and efficiency.
Following the release of EN 303 645, the technical specification TS 103 645 will continue to be developed in tandem. These efforts are designed to form the baseline for security implementation in IoT-oriented systems; later work will focus on moving that baseline up.
Total lifecycle protection
An important aspect of these efforts is that they don't just focus on the security of IoT devices while they are operational but address the privacy and security needs across a range of issues in the product lifecycle that can occur at any point, from design, manufacture and deployment, to eventual disposal. For example, the manufacturer or service provider needs to provide mechanisms for users to ensure all personal data items can be deleted from the device when it is retired from service or otherwise disposed.
Vendors need to ensure they make it possible to apply software updates to devices as they become necessary, to continue to address vulnerabilities discovered after manufacture. Hand-in-hand with that is the requirement for a vulnerability disclosure policy that provides a means for security researchers and others to report security issues in a responsible way and ensure that the concerns are addressed responsibly.
The EN 303 645 standard addresses all these points, as well others that include making devices resilient to power outages (another known attack surface); minimising the exposure of other attack surfaces, making it easy, rather than difficult, for the legal owner to install and maintain devices. The focus is on the technical controls that matter most in addressing these significant and widespread security shortcomings. The result is a high baseline level of security for all IoT devices.
While it is not a certification system in and of itself, the TS 103 645 specification can form the basis of an enforcement regime, if nation states want to use it in this way. Within the context of use within the European Union (EU), for example, EN 303 645 has a clear relationship with the EU’s General Data Protection Regulation (GDPR), which stipulates that any organisation with access to personal data provides adequate safeguards to ensure those details cannot be stolen.
The standard provides a basis for demonstrating the use of best practice if a vendor falls under suspicion of negligently releasing personal data.
Standards underpin accreditation schemes
Some assurance schemes have already adopted TS 103 645 as their basis. One example is the Finnish Transport and Communications Agency Traficom. It launched a cybersecurity label in November 2019, which guarantees that labelled devices have basic information security features. The label is awarded to networking smart devices if the devices meet the certification criteria that are based on the specification.
The British Standards Institution (BSI) has launched a Kitemark certification scheme for IoT-connected devices that is based on TS 103 645. Similarly, the UK’s DTG digital-TV organisation is planning a cyber security conformance scheme for smart TVs based on the specification.
The IoT Security Foundation (IoTSF) has published a mapping document that translates the high-level provisions of ETSI TS 103 645 to the more detailed requirements contained in their IoT Security Compliance Framework. Government agencies in other countries are also looking to use the standard for their own legislation and certification efforts.
EN 303 645 sets a standard for IoT security and privacy that represents a massive uplift to the current state of IoT device manufacturer. The working group responsible for the standardisation process found a balance between delivering expert guidance without prescribing dramatic changes or imposing requirements that would negatively impact the competitive nature of the end markets affected.
As a result, manufacturers and member states can meet a common security level and have access to the specification they need to achieve the dramatic improvement in IoT security that was so desperately needed. By delivering it as a phased approach, initial improvements will be almost immediate, while future work will ensure the baseline continues to be raised. The tangible results of these efforts will result in best practices in security being more widely adopted, giving all stakeholders an excellent foundation on which to build even better and more secure solutions.